The adoption rate of Microsoft Teams over the last few years has been nothing short of astonishing. In 2019, just prior to the onset of the COVID-19 pandemic, Microsoft's collaboration platform had around 20 million users. As of 2022 (the most recent stats available), the number of active users sits at 270 million! This incredible growth is a testament to the benefits that Teams offers organizations—especially in an environment where many employees are working remotely.
That said, the legal and compliance challenges that this relatively new technology introduces are now also becoming worryingly clear. The prevalence of Microsoft Teams data in legal matters is a major concern for in-house legal professionals, with a staggering 85% reporting collaboration app data, specifically Microsoft Teams data, as the most frequently encountered data type in their work. This information comes from a study conducted by Pagefreezer and the Association of Certified E-Discovery Specialists (ACEDS).
Regulators are also showing serious concern when it comes to messaging apps and team collaboration platforms like Teams. The Securities and Exchange Commission (SEC) levied major fines at the end of 2021 and the Department of Justice (DOJ) also weighed in with some strong commentary. The DOJ stated the following in relation to the evaluation of corporate compliance programs:
Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication. In evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.
Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company. Prosecutors should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.
In other words, ignoring the compliance implications of messaging apps and collaboration platforms is no longer an option. Until now, these apps and platforms often existed in a grey area where compliance obligations were not explicitly stated across all industries.
The DOJ is making it clear that the above will no longer be the case. Pleading ignorance or simply stating that communications were not retained for compliance purposes will not be acceptable. Organizations must ensure that systems and processes are put in place to ensure recordkeeping compliance.
What does this mean for companies in practical terms? The section below offers nine steps that companies should take to ensure that use of Microsoft Teams aligns with legal and compliance requirements.
Dealing with the Legal & Compliance Risks of Microsoft Teams
1. Know the Data Landscape
The complexity of the Microsoft ecosystem means that data can be spread across multiple locations, making it even more challenging for legal and compliance teams to locate specific information. For instance, a single conversation in Teams can generate data in multiple locations, including chat messages, shared files, and call records. Additionally, the location of the data can change depending on the user's settings and the type of collaboration tool used. Therefore, it's essential for organizations to have a comprehensive understanding of the data landscape in order to ensure that they can effectively manage legal and compliance risks. This includes knowing where data is stored, how it's accessed, and who has permission to view, edit, or delete it. By having a clear understanding of the data landscape, organizations can more easily locate and preserve data in response to legal or compliance requests, reducing the risk of fines, legal action, or damage to reputation.
2. Know the Capabilities (and Limits) of Microsoft Purview
Many organizations assume that Microsoft Purview, with its dedicated eDiscovery solution, is all that's needed to ensure that legal and compliance departments have adequate access to Microsoft Teams records. This is not necessarily the case. First, a top-tier E5 Microsoft 365 license is needed to get access to the robust eDiscovery Premium solution; companies on the far more common E3 license only have access to the more limited eDiscovery Standard. Second, even eDiscovery Premium has certain limitations. For instance, Teams conversations cannot be exported in the popular and user-friendly PDF format. (Learn more about Microsoft Teams and Purview in this guide.)
3. Set Clear Policies
To cultivate an environment where legal and compliance risks are minimized while still fostering a sense of trust and privacy for employees, it's essential to set clear policies. Formal policies should be established to regulate the use of an enterprise collaboration platform, including a communication policy that outlines acceptable behavior and a security policy that outlines data monitoring and protection measures. These policies should not only explain how the platform is managed but also the reasoning behind certain actions. It's crucial to maintain transparency, such as clearly stating if conversations are monitored or if managers have access to private messages and channels.
4. Provide Teams Training
One of the most effective ways to combat improper use of a team collaboration tool is to provide mandatory training for employees. It's important to outline acceptable behavior and company policies in detail, rather than expecting employees to read and sign these policies on their own. By incorporating this training as a regular part of onboarding, organizations can foster a sense of trust while minimizing legal and compliance risks. Although this can be time-consuming, it's a crucial step in creating a secure and productive environment for employees.
5. Manage Users, Groups, and Roles
To maintain control over the creation of private or public channels, it's crucial to limit users' permissions. As an organization grows, it's wise to restrict channel creation to designated personnel. Wide-reaching channels can be overwhelming and cause chaos, so it's recommended to limit posting capabilities to select individuals. In cases where executives require access to private channels and conversations, it's important to limit it to essential stakeholders and communicate the reasoning to employees.
6. Find the Shadow IT
Unauthorized collaboration tools, commonly known as "shadow IT," can jeopardize data security. Employees may use such tools to maintain privacy in their conversations or implement them without proper authorization. A 2019 survey revealed that 67% of teams in large companies introduced their own collaboration tool without any input from other departments. Compliance teams and IT departments must identify and manage all collaboration tools used within the organization to minimize the threats associated with shadow IT.
7. Monitor Intelligently
Businesses can now safeguard against data loss with the help of modern monitoring and data loss prevention tools without employees feeling like their privacy is being invaded. These intelligent tools streamline the process and only require human intervention when suspicious activity is detected. They utilize extensive keyword libraries to monitor conversations in real-time, eliminating the need for anyone to spy on members of staff. These libraries are specifically designed to flag inappropriate language and sensitive data, such as credit card numbers, and immediately notify administrators if any of these keywords appear.
8. Collect and Preserve Data
To ensure legal compliance and proper evidence collection, organizations must preserve all relevant data, including edited and deleted content, in a format admissible by law. The best solution is to use an eDiscovery tool that automates the process, making it easy for legal and compliance teams to access, search, and export evidence without requiring any IT department involvement. By collecting and preserving data in this manner, organizations can safeguard themselves against legal risks and ensure that their evidence is authenticated in court.
9. Manage Data Retention Settings
Proper management of data retention settings is crucial for the eDiscovery of team collaboration tools like Microsoft Teams. It is imperative to align the retention periods for channels and conversations with the organization's overall retention policies. While it is necessary not to retain messages indefinitely, it is equally important not to delete data too quickly, as this could prevent legal, compliance, and HR teams from accessing necessary records. By setting retention settings correctly, organizations can ensure that they have access to the data they need while minimizing legal and compliance risks.
Adapting Legal & Compliance Programs to Messaging Apps and Collaboration Platforms
As more and more organizations adopt team collaboration tools like Slack or Microsoft Teams, it's critical to recognize the unique nature of this new form of communication. Unlike traditional email, which is often more formal and thought-out, team collaboration tools are more akin to in-person conversations where people may speak more casually and without the same filter they might use in more formal settings. This can lead to moments of frustration, humor that falls flat, or comments made without fully considering their implications.
One of the key challenges in this new environment is the fact that these fleeting moments can be captured and stored indefinitely on collaboration tools. This can potentially create legal and compliance risks for organizations if inappropriate conversations or behavior are recorded and used against them in the future. To balance these risks with the need for employee expression and collaboration, organizations must establish clear policies for the use of team collaboration tools.
One important aspect of these policies is the need for active monitoring and enforcement. While it's important to give employees the benefit of the doubt and consider the context of their comments, it's equally important to ensure that inappropriate behavior or conversations are addressed in a timely and appropriate manner. This can involve everything from monitoring conversations for sensitive keywords to limiting user permissions to designated personnel.
Another key element of these policies is the need to promote psychological safety and effective teamwork. By creating an environment where employees feel comfortable expressing themselves and working collaboratively, organizations can foster a culture of innovation and productivity. At the same time, it's important to recognize that this must be balanced with the need for legal and compliance safeguards.
Ultimately, as organizations navigate the use of team collaboration tools like Microsoft Teams, it's essential to establish guidelines that reflect the unique requirements of this new form of communication. By actively monitoring and enforcing policies while also promoting psychological safety and effective teamwork, organizations can balance legal and compliance risks with employee expression to create a secure and productive environment for all.
Want to learn more? Read our guide, The Complete Microsoft Teams Field Guide for Legal & Compliance Teams. Simply click the button below.